Guest Baron Thener
Posted November 26, 2008

Dear all,

Our network was attacked recently. Our antivirus, McAfee, detected the attack as bo:stack, blocked by buffer overflow. Some computers were infected; some of them were our critical servers. The symptom was that every time we log on to Windows the system shows "Generic Host Process for Win32 Services Error" and it stops the Server, Computer Browser and Distributed File services. These services are run by svchost.exe.

My question is:
1. If svchost.exe is corrupted, is there any way to replace the file with another clean and functional svchost.exe?

Thank you for the answers.

Best regards,
Baron

Guest David H. Lipman
Posted November 26, 2008

From: "Baron Thener" <BaronThener@discussions.microsoft.com>

| Dear all,
| Our network was attacked recently, our antivirus mcafee detect the attack as bo:stack blocked by buffer overflow. some computer was infected some of them was
| our critical servers. the symptoms was every time we logon to windows the
| system "Generic Host Process for Win32 Services Error" it stop the server,
| computer browser and distribute file services. These services is done by the
| svchost.exe

| My question is:
| 1. If the svchost.exe is corrupted is there any way to replace the file with
| another clean and functional svchost.exe?

| Thanks you for the answers.

| best regards,

| Baron

It sounds like the Buffer Overflow detection kicked in in McAfee Enterprise v8.50i. Yes?

You don't replace SVCHOST.EXE. That's the server of servers in Windows.

You have to find what was injected into the service.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Baron Thener
Posted November 26, 2008

Dear David,

That's right. Do you have any suggestion on how to trace this infection? Because it's contaminating all the user PCs also. I think McAfee is still blocking it, but some of our servers have been disabled. How to fix it without formatting the servers? Because we tried to repair Windows but it didn't work.

Thanks a lot for your answer.

"David H. Lipman" wrote:

> From: "Baron Thener" <BaronThener@discussions.microsoft.com>
>
> | Dear all,
> | Our network was attacked recently, our antivirus mcafee detect the attack as
> bo:stack blocked by buffer overflow. some computer was infected some of them was
> | our critical servers. the symptoms was every time we logon to windows the
> | system "Generic Host Process for Win32 Services Error" it stop the server,
> | computer browser and distribute file services. These services is done by the
> | svchost.exe
>
> | My question is:
> | 1. If the svchost.exe is corrupted is there any way to replace the file with
> | another clean and functional svchost.exe?
>
> | Thanks you for the answers.
>
> | best regards,
>
> | Baron
>
> It sounds like the Buffer Overflow detection kicked in in McAfee Enterprise v8.50i. Yes?
>
> You don't replace SVCHOST.EXE. That's the server of servers in Windows.
>
> You have to find what was injected into the service.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest David H. Lipman
Posted November 26, 2008

From: "Baron Thener" <BaronThener@discussions.microsoft.com>

| Dear David,
| That right, do you have any suggestion on how to trace this infection?
| because it's contaminating all the user PC's also. I think the mcafee still
| blocking it. but some of our servers have been disable. how to fix it without
| formatting the servers? because we tried to repair the windows but it didn't
| work.
| Thanks a lot for your answer.

You already have McAfee so use the following Multi AV Scanning Tool's Sophos and Trend Micro modules to scan an infected server.

When using the Trend Micro module, you can disable the Spyware scanner capability.

You may want to concentrate on the c:\windows (c:\winnt) tree.

Download MULTI_AV.EXE from the URL --
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe

http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/0...virus-for-free/

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm

Please report back your results

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Baron Thener
Posted November 27, 2008

One more thing, Dave, before I try this. Is there any way to update this multiscan manually? Because the infected server cannot connect to the network properly, so it could not get an update from the internet. And also, do you have any suggestion to trace the source of this buffer overflow infection?

Thanks,
Baron

"David H. Lipman" wrote:

> From: "Baron Thener" <BaronThener@discussions.microsoft.com>
>
> | Dear David,
> | That right, do you have any suggestion on how to trace this infection?
> | because it's contaminating all the user PC's also. I think the mcafee still
> | blocking it. but some of our servers have been disable. how to fix it without
> | formatting the servers? because we tried to repair the windows but it didn't
> | work.
> | Thanks a lot for your answer.
>
> You already have McAfee so use the following Multi AV Scanning Tool's Sophos and Trend
> Micro modules to scan an infected server.
>
> When using the Trend Micro module, you can disable the Spyware scanner capability.
>
> You may want to concentrate on the c:\windows (c:\winnt) tree.
>
> Download MULTI_AV.EXE from the URL --
> http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
> or
> http://212.98.39.7/ds/28400/28470/Multi_AV.exe
>
> http://www.pctip.ch/downloads/dl/35905.asp
> or
> http://212.98.39.7/downloads/dl/35905.asp
>
> English:
> http://www.raymond.cc/blog/archives/2008/0...virus-for-free/
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
> This will bring up the initial menu of choices and should be executed in Normal Mode.
> This way all the components can be downloaded from each AV vendor's web site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file.
>
> Additional Instructions:
> http://pcdid.com/Multi_AV.htm
>
> Please report back your results
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest David H. Lipman
Posted November 27, 2008

From: "Baron Thener" <BaronThener@discussions.microsoft.com>

| One More thing Dave before I try this on. is there any way to update this
| multiscan manually? because the infected server cannot connect to the network
| properly so it could not get an update from the internet. an also do you have
| any suggestion to trace the source of this buffer overflow infection?
| Thanks,

| baron

Yes. Read the included PDF Help File on the use of a surrogate PC to download all files and then transfer and run on an infected computer.

As for tracing this...
That's difficult. I personally don't know. Is it backed upon RPC, TCP port 135 or through SMB TCP 445?

Have you put a packet sniffer on any nodes?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest JezRobinson
Posted November 27, 2008

Hi,

This problem appears to be related to the Microsoft Vulnerability that allows remote code execution on ports 139 and 445.

Check to make sure you have hot fix 958644 installed.

http://www.microsoft.com/technet/security/...n/MS08-067.mspx

There is a large amount of activity on the web with variants of a virus published last week.

So install the Hot Fix and reboot, hopefully that will solve your problem.

Over and out.

--
JezRobinson
JezRobinson's Profile: http://forums.techarena.in/members/jezrobinson.htm
View this thread: http://forums.techarena.in/security-virus/1077813.htm
http://forums.techarena.in

Guest Jez Robinson
Posted November 27, 2008

Hi,

This problem appears to be related to the Microsoft Vulnerability that allows remote code execution on ports 139 and 445.

Check to make sure you have hot fix 958644 installed.

http://www.microsoft.com/technet/sec.../MS08-067.mspx

There is a large amount of activity on the web with variants of a virus published last week.

So install the Hot Fix and reboot, hopefully that will solve your problem.

Over and out.

"David H. Lipman" wrote:

> From: "Baron Thener" <BaronThener@discussions.microsoft.com>
>
> | One More thing Dave before I try this on. is there any way to update this
> | multiscan manually? because the infected server cannot connect to the network
> | properly so it could not get an update from the internet. an also do you have
> | any suggestion to trace the source of this buffer overflow infection?
> | Thanks,
>
> | baron
>
> Yes. Read the included PDF Help File on the use of a surrogate PC to download all files
> and then transfer and run on an infected computer.
>
> As for tracing this...
> That's difficult. I personally don't know. Is it backed upon RPC, TCP port 135 or
> through SMB TCP 445?
>
> Have you put a packet sniffer on any nodes?
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest bredtracer
Posted November 28, 2008

Well, my friends, I may be new here but this problem is not new to me. Actually, whenever I formatted my PC and installed a fresh copy of Windows XP SP2 this problem would surface. As Jez rightly pointed out, you need that hotfix, and even then some people might continue to experience the problem, as I did too. I did a Google search on it and got the remedy from a forum like this. It was a piece of software; after installing it the problem never troubled me.

As I said already, I have encountered this situation many times, so I am sure of what I said. I guess you people can also locate the software I am talking about by searching for it for some time.

--
bredtracer
bredtracer's Profile: http://forums.techarena.in/members/bredtracer.htm
View this thread: http://forums.techarena.in/security-virus/1077813.htm
http://forums.techarena.in

Guest Baron Thener
Posted November 29, 2008

Dear Jez,

Thanks for the update. I've tried the hotfix. We'll see in a couple of days, and I'll report in this newsgroup again.

Thanks,
Baron

"JezRobinson" wrote:

> Hi,
>
> This problem appears to be related to the Microsoft Vulnerability that
> allows remote code execution on ports 139 and 445.
>
> Check to make sure you have hot fix 958644 installed.
>
> http://www.microsoft.com/technet/security/...n/MS08-067.mspx
>
> There is a large amount of activity on the web with variants of a virus
> published last week.
>
> So install the Hot Fix and reboot, hopefully that will solve your
> problem.
>
> Over and out.
>
> --
> JezRobinson
> JezRobinson's Profile: http://forums.techarena.in/members/jezrobinson.htm
> View this thread: http://forums.techarena.in/security-virus/1077813.htm
>
> http://forums.techarena.in

Guest Baron Thener
Posted November 29, 2008

Dear Dave,

You got some heavy-duty antivirus there, but it doesn't find the cause of the bo:stack buffer overflow. It captured some viruses on several servers, but the virus was not the same on every server.

The reporting about buffer overflow has been rare since I tried the hotfix from Jez Robinson and other Windows critical updates from Windows Update.

We'll see for a couple of days; if something comes up again I'll come back to this forum. Thanks a lot for the antivirus though. It is really useful.

Best regards,
Baron

"David H. Lipman" wrote:

> From: "Baron Thener" <BaronThener@discussions.microsoft.com>
>
> | One More thing Dave before I try this on. is there any way to update this
> | multiscan manually? because the infected server cannot connect to the network
> | properly so it could not get an update from the internet. an also do you have
> | any suggestion to trace the source of this buffer overflow infection?
> | Thanks,
>
> | baron
>
> Yes. Read the included PDF Help File on the use of a surrogate PC to download all files
> and then transfer and run on an infected computer.
>
> As for tracing this...
> That's difficult. I personally don't know. Is it backed upon RPC, TCP port 135 or
> through SMB TCP 445?
>
> Have you put a packet sniffer on any nodes?
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Baron Thener
Posted November 29, 2008

Dear bredtracer,

We never experienced anything like this before, and the virus / malware or whatever this is is attacking multiple Windows platforms: Windows Server 2000, Server 2003, Server 2003 R2, and XP SP2.

Thanks for your reply.
Baron

"bredtracer" wrote:

> Well my friends I maybe new here but this problem is not new to me.
> Actually whenever I formatted my PC and installed a fresh copy of
> Windows XP SP2 version this problem would surface. As Jez rightly
> pointed out you need that hotfix and even then some people might
> continue to experience the problem as I did too. I did a Google search
> of it and got the remedy from a forum like this. It was a software
> installing which the problem never troubled me.
> As I said already this situation has encountered by me many times so am
> sure of what I said. I guess you people can also locate the software am
> talking about by searching it for some time.
>
> --
> bredtracer
> bredtracer's Profile: http://forums.techarena.in/members/bredtracer.htm
> View this thread: http://forums.techarena.in/security-virus/1077813.htm
>
> http://forums.techarena.in

Guest David H. Lipman
Posted November 29, 2008

From: "Baron Thener" <BaronThener@discussions.microsoft.com>

| Dear Dave,
| You got some heavy duty antivirus there. but it doesn't find the cause of
| the bo:stack buffer overflow. it capture some virus in several servers but
| the virus was not the same in every servers.

| The reporting about buffer overflow has been rare since I tried the hotfix
| from jez robinson and other windows critical update from windows update.

| We'll see for a couple days if something come out again I'll come back to
| this forum. Thanks a lot for the antivirus though. It really useful.

| best regards,
| Baron

You need to do some packet sniffing and find what computers on your LAN are infected and searching out OTHER computers through TCP ports 135 and 445.

You need to isolate your network from the WAN better with a FireWall as well.

You indicated that there were "...some virus in several servers..."
Please identify exactly what was found.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Kayman
Posted November 30, 2008

On Fri, 28 Nov 2008 23:47:00 -0800, Baron Thener wrote:

> Dear Jez.
> Thanks for the update. I've tried the hotfix. well, see in a couple of days.
> and I'll report in this newsgroup again.
> thanks.
> Baron
>
> "JezRobinson" wrote:
>>
>> Hi,
>> This problem appears to be related to the Microsoft Vulnerability that
>> allows remote code execution on ports 139 and 445.

Seconfig XP 1.1
http://seconfig.sytes.net/
Seconfig XP is able to configure Windows not to use TCP/IP as transport protocol for NetBIOS, SMB and RPC, thus leaving TCP/UDP ports 135, 137-139 and 445 (the most exploited Windows networking weak point) closed.

Guest David H. Lipman
Posted November 30, 2008

From: "Kayman" <kaymanDeleteThis@operamail.com>

| Seconfig XP 1.1
| http://seconfig.sytes.net/
| Seconfig XP is able configure Windows not to use TCP/IP as transport
| protocol for NetBIOS, SMB and RPC, thus leaving TCP/UDP ports 135, 137-139
| and 445 (the most exploited Windows networking weak point) closed.)

Kayman:

He indicated these are servers. They are not home computers and they are participating in a LAN. Closing these ports could have disastrous effects on LAN communications. Your advice is contraindicated.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Baron Thener
Posted November 30, 2008

Dear Jez,

I tried to update Windows using this hotfix. It went well on the Windows 2000 server and Windows 2003 R2, but one of our servers using Windows 2003 SP2 cannot be reached and cannot reach every network in our company. The strange thing is that ping and the internet connection are OK. I can even do remote access using VNC to this server from another Windows 2003 server, but if I use Vista I cannot remote into the computer. Every time I go to Run: \\computername it shows: the network connection could not be reached. This happens vice versa.

Does the hotfix close a port or something? If yes, how do you open it again?

Thanks

"JezRobinson" wrote:

> Hi,
>
> This problem appears to be related to the Microsoft Vulnerability that
> allows remote code execution on ports 139 and 445.
>
> Check to make sure you have hot fix 958644 installed.
>
> http://www.microsoft.com/technet/security/...n/MS08-067.mspx
>
> There is a large amount of activity on the web with variants of a virus
> published last week.
>
> So install the Hot Fix and reboot, hopefully that will solve your
> problem.
>
> Over and out.
>
> --
> JezRobinson
> JezRobinson's Profile: http://forums.techarena.in/members/jezrobinson.htm
> View this thread: http://forums.techarena.in/security-virus/1077813.htm
>
> http://forums.techarena.in

Guest Baron Thener
Posted December 10, 2008

Dear Jez,

After trialing for these couple of days, we took preventive action to update the servers. For the last server that was infected we decided to format the server. After we installed the antivirus and updated with Windows Update, suddenly the Server service is down again, but without any virus warning. Can it be that the Windows update contains some kind of bug? Or is McAfee the one causing this? I have already run out of ideas. Please advise.

Thanks

"JezRobinson" wrote:

> Hi,
>
> This problem appears to be related to the Microsoft Vulnerability that
> allows remote code execution on ports 139 and 445.
>
> Check to make sure you have hot fix 958644 installed.
>
> http://www.microsoft.com/technet/security/...n/MS08-067.mspx
>
> There is a large amount of activity on the web with variants of a virus
> published last week.
>
> So install the Hot Fix and reboot, hopefully that will solve your
> problem.
>
> Over and out.
>
> --
> JezRobinson
> JezRobinson's Profile: http://forums.techarena.in/members/jezrobinson.htm
> View this thread: http://forums.techarena.in/security-virus/1077813.htm
>
> http://forums.techarena.in

Guest Baron Thener
Posted December 10, 2008

Sorry for the late reply, Dave. It caught Sality or something like that. I forgot, because I removed it once it was detected. Now it causes this in the Event Viewer:

"Faulting application svchost.exe, version 5.2.3790.3959, faulting module shell32.dll, version 6.0.3790.4184, fault address 0x0014e84e"

I have already updated Windows through Windows Update, and the antivirus also.

"David H. Lipman" wrote:

> From: "Baron Thener" <BaronThener@discussions.microsoft.com>
>
> | Dear Dave,
> | You got some heavy duty antivirus there. but it doesn't find the cause of
> | the bo:stack buffer overflow. it capture some virus in several servers but
> | the virus was not the same in every servers.
>
> | The reporting about buffer overflow has been rare since I tried the hotfix
> | from jez robinson and other windows critical update from windows update.
>
> | We'll see for a couple days if something come out again I'll come back to
> | this forum. Thanks a lot for the antivirus though. It really useful.
>
> | best regards,
> | Baron
>
> You need to do some packet sniffing and find what computers on your LAN are infected and
> searching out OTHER computers through TCP ports 135 and 445.
>
> You need to isolate your network from the WAN better with a FireWall as well.
>
> You indicated that there were "...some virus in several servers..."
> Please identify exactly what was found.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest The Other Mike
Posted December 10, 2008

On Tue, 9 Dec 2008 19:38:01 -0800, Baron Thener <BaronThener@discussions.microsoft.com> wrote:

>Sorry for the late reply dave. it cought sality or something like that. i
>forgot cause i remove it once it detected. now it cause this in the event
>viewer :
>
>"Faulting application svchost.exe, version 5.2.3790.3959, faulting module
>shell32.dll, version 6.0.3790.4184, fault address 0x0014e84e"
>
>
>i already update the windows update and the antivirus also.

Saw this thread, and we recently went through a battle with a worm that sounds like what you have. After patching the servers/PCs that were infected, you still have to clean up those machines. The worm we had created a service on the servers and PCs. So even though you patch the machine, the service still ran... which would crash other machines it was trying to spread to that weren't patched.

We deleted the registry keys mentioned in this alert on the infected machines...

http://www.trendmicro.com/vinfo/virusencyc...NAD%2EA&VSect=T

We also used a network sniffer to scan for port 445 requests, and usually those PCs making a lot of requests had this virus service still on them.
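
The sniffing approach that David H. Lipman and The Other Mike describe in the posts above (find the LAN hosts that keep reaching out to other computers on TCP 135 and 445) can be sketched as follows. This is an added example, not part of the original thread: the one-line-per-packet export format, the threshold, the window and all addresses are constructed assumptions.

```python
"""Flag LAN hosts that sweep many peers on TCP 135/445 (added example).

Input is a constructed text export of captured packets, one per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <tcp_flags>
The format, thresholds and addresses are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict, deque
from typing import NamedTuple

WATCHED_PORTS = {135, 445}   # RPC endpoint mapper and SMB, as named in the thread
FANOUT_THRESHOLD = 5         # assumed: distinct peers inside one window
WINDOW_SECONDS = 60          # assumed sliding-window length


class Attempt(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int


# Constructed sample traffic (not from a real capture).
SAMPLE_CAPTURE = "\n".join(
    # 10.0.0.23 sweeps eight neighbours on 445 within eight seconds
    [f"{1000 + i} 10.0.0.23 10.0.0.{100 + i} 445 S" for i in range(8)]
    # 10.0.0.50 reaches six hosts, but two minutes apart each
    + [f"{1000 + 120 * i} 10.0.0.50 10.0.0.{60 + i} 445 S" for i in range(6)]
    # 10.0.0.9 is a management server that legitimately polls clients over RPC
    + [f"{2000 + i} 10.0.0.9 10.0.0.{100 + i} 135 S" for i in range(6)]
    + [
        "1001 10.0.0.40 10.0.0.5 445 S",    # ordinary client to file server
        "1001 10.0.0.5 10.0.0.40 1045 SA",  # server's SYN-ACK, not an attempt
        "1030 10.0.0.40 10.0.0.5 445 S",
        "1031 10.0.0.40 10.0.0.6 135 S",
        "1032 10.0.0.40 10.0.0.7 80 S",     # unwatched port
        "truncated line",                   # malformed records are skipped
        "oops 10.0.0.40 10.0.0.5 445 S",
    ]
)


def parse_attempts(text):
    """Return new-connection attempts (bare SYN) to the watched ports."""
    attempts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, flags = parts
        try:
            record = Attempt(float(ts), src, dst, int(dport))
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue
        # "S" alone is the first packet of a handshake; "SA" is a reply.
        if flags == "S" and record.dport in WATCHED_PORTS:
            attempts.append(record)
    return attempts


def find_sweepers(attempts, threshold=FANOUT_THRESHOLD,
                  window=WINDOW_SECONDS, allowlist=frozenset()):
    """Map each suspicious source to its peak distinct-peer count per window."""
    by_src = defaultdict(list)
    for a in attempts:
        if a.src not in allowlist:
            by_src[a.src].append(a)

    flagged = {}
    for src, items in by_src.items():
        items.sort(key=lambda a: a.ts)
        recent = deque()
        peak = 0
        for a in items:
            recent.append(a)
            while a.ts - recent[0].ts > window:   # drop attempts older than the window
                recent.popleft()
            peak = max(peak, len({r.dst for r in recent}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    hits = find_sweepers(parse_attempts(SAMPLE_CAPTURE), allowlist={"10.0.0.9"})
    for host, peers in sorted(hits.items()):
        print(f"{host}: {peers} distinct peers on 135/445 within {WINDOW_SECONDS}s")
```

Hosts that legitimately fan out over RPC or SMB (management consoles, backup servers) belong in `allowlist`; anything else that is flagged is a candidate for the clean-up described in the post above.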

Guest mike
Posted December 13, 2008

Hi!

I had exactly the same problem on two of our 2003 servers (SP1). It occurred 2 days ago for the first time. I've found a workaround:

I installed, in order:

Hotfix KB914810 (included in SP2)
Hotfix KB932762
Security update KB958644

However, the root cause is still unclear. But I suspect the auto update service. It's hosted by a svchost instance together with some important network services.

Greetings,
Michael

"Baron Thener" wrote:

> Dear Jez,
> After trialing for this couple of days, we take preventive action to update
> the servers. for the last server that was infected we decided to formatting
> the server after we install the antivirus updating the windows update
> suddently the server service is down again. but without any virus warning.
> can it be the windows update contain some kind of bug? or the mcafee is the
> one causing this? I already run of Idea.. please advice
>
> Thanks
>
> "JezRobinson" wrote:
>
> > Hi,
> >
> > This problem appears to be related to the Microsoft Vulnerability that
> > allows remote code execution on ports 139 and 445.
> >
> > Check to make sure you have hot fix 958644 installed.
> >
> > http://www.microsoft.com/technet/security/...n/MS08-067.mspx
> >
> > There is a large amount of activity on the web with variants of a virus
> > published last week.
> >
> > So install the Hot Fix and reboot, hopefully that will solve your
> > problem.
> >
> > Over and out.
> >
> > --
> > JezRobinson
> > JezRobinson's Profile: http://forums.techarena.in/members/jezrobinson.htm
> > View this thread: http://forums.techarena.in/security-virus/1077813.htm
> >
> > http://forums.techarena.in

Guest Kris Antonius
Posted December 15, 2008

Hi Jez,

Thanks for your solution. I have downloaded the hot fix for 958644, installed it and then restarted; the virus has not appeared again.

Guest Baron Thener
Posted December 17, 2008

Dear Mike,

If the computer is already infected, can using this hotfix restore the computer to its condition before it got infected?

Thanks

"mike" wrote:

> Hi!
>
> I had exactly the same problem on two of our 2003 servers (SP1).
> It occurred 2 days ago for the first time.
> I've found a workaround:
>
> I installed, in order:
>
> Hotfix KB914810 (included in SP2)
> Hotfix KB932762
> Security update KB958644
>
> However the root cause is still unclear. But I suspect the auto update
> service. It's hosted by a svchost instance together with some important
> networkservices.
>
> greetings,
> Michael
>
> "Baron Thener" wrote:
>
> > Dear Jez,
> > After trialing for this couple of days, we take preventive action to update
> > the servers. for the last server that was infected we decided to formatting
> > the server after we install the antivirus updating the windows update
> > suddently the server service is down again. but without any virus warning.
> > can it be the windows update contain some kind of bug? or the mcafee is the
> > one causing this? I already run of Idea.. please advice
> >
> > Thanks
> >
> > "JezRobinson" wrote:
> >
> > > Hi,
> > >
> > > This problem appears to be related to the Microsoft Vulnerability that
> > > allows remote code execution on ports 139 and 445.
> > >
> > > Check to make sure you have hot fix 958644 installed.
> > >
> > > http://www.microsoft.com/technet/security/...n/MS08-067.mspx
> > >
> > > There is a large amount of activity on the web with variants of a virus
> > > published last week.
> > >
> > > So install the Hot Fix and reboot, hopefully that will solve your
> > > problem.
> > >
> > > Over and out.
> > >
> > > --
> > > JezRobinson
> > > JezRobinson's Profile: http://forums.techarena.in/members/jezrobinson.htm
> > > View this thread: http://forums.techarena.in/security-virus/1077813.htm
> > >
> > > http://forums.techarena.in

Guest David H. Lipman
Posted December 17, 2008

From: "Baron Thener" <BaronThener@discussions.microsoft.com>

| Dear Mike,
| If The computer already infected by using this hotfix can it restore the
| computer condition before it get infected?
| Thanks

NO!

A HotFix will only correct the vulnerability that was used in the exploit that got the PC infected.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Baron Thener
Posted December 17, 2008

Dear Dave,

So how do we restore the server to its condition before it got infected without having to reinstall it?

"David H. Lipman" wrote:

> From: "Baron Thener" <BaronThener@discussions.microsoft.com>
>
> | Dear Mike,
> | If The computer already infected by using this hotfix can it restore the
> | computer condition before it get infected?
> | Thanks
>
> NO!
>
> A HotFix will only correct the vulnerability that was used in the exploit that got the PC
> infected.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest David H. Lipman
Posted December 17, 2008

From: "Baron Thener" <BaronThener@discussions.microsoft.com>

| Dear Dave,
| So how to restore the condition of the server before it get infected without
| have to reinstalling it?

Tape for one. Otherwise you have to discern what was changed and undo said changes. In this case, I don't know what infected your Server and thus have no idea what changes were made.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp